Re: Xen security updates on Wheezy
On 2016-03-26 01:36:43, Brian May wrote:
> Antoine Beaupré <firstname.lastname@example.org> writes:
>> They seem to hold, although I have yet to test them in production. One
>> thing I noticed is that they don't seem to fix CVE-2015-8104 and
>> CVE-2015-5307, ie. that the patches you posted in
>> <email@example.com> were not factored into the
>> package. That would seem to be important (and maybe we could push those
>> back towards the Ubuntu folks as well).
> That is correct, I had two patches previously that I did not incorporate:
> -rw------- 1 brian brian 5277 Mar 26 16:26 CVE-2015-2752.diff
> -rw------- 1 brian brian 4666 Mar 26 16:26 CVE-2015-8104+CVE-2015-5307.patch
> I believe CVE-2015-2752.diff is already patched in the Ubuntu version,
> so we don't need to worry about it.
Those two patches actually *are* in the patch series in the packages you
built, as xsa125-4.2.patch and xsa156-4.2.patch, respectively. So
obviously, those patches don't apply. :)
In other words, I believe your package build is complete.
> Curiously the Ubuntu version declares it has fixed CVE-2015-5307 but not
> CVE-2015-8104 - so it is possible this means the above patch will not
> apply cleanly.
Hmm... maybe an oversight on their part. XSA-156 is composed of two
distinct vulnerabilities which got assigned the two CVEs above. The
xsa156-4.2.patch explicitly fixes both of those issues.
> Then there are just these three CVEs unaccounted for (and possibly don't
> - CVE-2014-5146 (marked No DSA)
> - CVE-2014-5149 (marked No DSA)
> - CVE-2014-8341 (marked No DSA)
I assume you mean CVE-2015-8341 for the latter. :) For that one, I
agree with no-dsa; it may even be not-affected, actually.
For the other two, I am not sure. Given the number of fixes we are
backporting, however, I am tempted to agree with the assessment ("too
intrusive to backport"), given the lag we're having with all this.
I also note that 3 more vulnerabilities came up in Xen since I looked at
this, so I need to sit down to filter through those again.
I'll send a debdiff when I'm done.
It is the greatest of all mistakes to do nothing because you can only
do little. Do what you can.
- Sydney Smith
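The confusion above (a CVE-named patch that "does not apply" because the same fix is already present under its XSA name, and an XSA patch that covers two CVEs while a changelog names only one) is the kind of thing a quick scan of debian/patches/series catches before a package is uploaded. The script below is an added example, not code from the thread or from the Debian xen package: it builds a constructed miniature debian/patches directory with two patch headers modelled on xsa125-4.2.patch and xsa156-4.2.patch, then reports which expected CVE identifiers no patch in the series mentions. It only finds CVEs that a patch header actually names, so a patch tagged solely by its XSA number shows up as a gap and must be cross-checked against the advisory by hand.

```shell
#!/bin/sh
# Added example, not from the thread: list the CVE ids mentioned by the
# patches in a Debian package's patch series and flag expected CVEs that
# are missing. The patch files below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PATCHES="$WORK/debian/patches"
mkdir -p "$PATCHES"

# Constructed patch headers, modelled on the XSA naming used in the thread.
cat > "$PATCHES/xsa125-4.2.patch" <<'EOF'
From: Xen Security Team
Subject: XSA-125: constructed header for the demo
This is CVE-2015-2752 / XSA-125.
EOF
cat > "$PATCHES/xsa156-4.2.patch" <<'EOF'
From: Xen Security Team
Subject: XSA-156: constructed header for the demo
This is CVE-2015-5307,CVE-2015-8104 / XSA-156.
EOF
printf 'xsa125-4.2.patch\nxsa156-4.2.patch\n' > "$PATCHES/series"

# cves_in_series DIR: print, sorted and de-duplicated, every CVE id found in
# a patch listed in DIR/series. Only listed patches count: a patch that is
# present in the directory but absent from series is never applied.
cves_in_series() {
    dir=$1
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        case $p in \#*) continue ;; esac
        grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' "$dir/$p" || true
    done < "$dir/series" | sort -u
}

# missing_cves DIR CVE...: print each expected CVE that no listed patch
# mentions, one per line (prints nothing when everything is covered).
missing_cves() {
    dir=$1; shift
    have=$(cves_in_series "$dir")
    for c in "$@"; do
        printf '%s\n' "$have" | grep -qx "$c" || printf '%s\n' "$c"
    done
}

# The three CVEs discussed in the thread are covered by the two XSA patches;
# CVE-2014-5146 (no-dsa) is deliberately left without a patch here.
missing_cves "$PATCHES" CVE-2015-2752 CVE-2015-5307 CVE-2015-8104 CVE-2014-5146
```

Run it against a real unpacked source package by pointing the functions at its debian/patches directory and passing the CVE list from the security tracker; anything it prints either needs a patch or needs a written justification (no-dsa, not-affected) in the changelog.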